Deploying Postfix with LDAP (FreeIPA) virtual aliases and Kerberos Authentication
For those of you looking for a way to set up Postfix so your client base can login with Single Sign On, this article is for you.
Here we will be walking through configuring postfix for the following criteria:
- LDAP based User lookups (In this article I have used FreeIPA 3.0)
- Single Sign On authentication for mail sending.
- Enabling TLS based connections using FreeIPA as the Certificate Authority.
Please be aware that this article does not cover accessing a user’s mailbox as this is covered in the following article.
Before I continue I’d like to thank Loris Santamaria and Anthony Messina from the freeipa-users@redhat.com mailing list for their assistance in getting this solution working.
Details used in this article are as follows:
FreeIPA Servers: ds01.example.com, ds02.example.com
Postfix Server: mail.example.com
IPA Test user: ipauser1
Enable LDAP virtual alias maps
A virtual alias map in Postfix allows you to map users from varying sources so that Postfix will know to accept mail for that user. This is advantageous as it means you don’t have to manually create a local user on the server in order for mail to be received.
Step 1. To set up the LDAP based map, please run the following commands on your Postfix Server.
[root@mail ~]# postconf -e 'virtual_alias_domains = example.com'
[root@mail ~]# postconf -e 'virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf'
Step 2. Create the /etc/postfix/ldap_aliases.cf file with the below content.
Please note that the below config will enable TLS queries to your FreeIPA server.
server_host = ds01.example.com, ds02.example.com
search_base = cn=accounts,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no
start_tls = yes
version = 3
Step 3. Once you’ve saved your ldap_aliases.cf file, you need to hash the file so Postfix can read it.
[root@mail ~]# postmap /etc/postfix/ldap_aliases.cf
Step 4. Now we need to correct the SELinux contexts of the new files so Postfix can read them.
[root@mail ~]# restorecon -R /etc/postfix/
Step 5. Lastly, restart postfix to apply the changes.
[root@mail ~]# service postfix restart
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
[root@mail ~]#
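Before running postmap and restarting, it is worth checking the LDAP table file for the settings that matter most: start_tls = yes (otherwise every alias lookup, including the user's e-mail address, crosses the network in cleartext) and version = 3 (STARTTLS needs LDAPv3). The script below is an added example written for this article, not something from the original post or from the Postfix or FreeIPA projects; it assumes the key = value layout of /etc/postfix/ldap_aliases.cf shown above, and the weak.cf and good.cf sample tables it writes are constructed for the example.

```shell
#!/bin/sh
# Added example: validate a Postfix LDAP table file before deploying it.
# Assumes the "key = value" layout of /etc/postfix/ldap_aliases.cf.

# ldap_table_value FILE KEY -> prints the value of KEY (first match, trimmed)
ldap_table_value() {
    awk -F= -v key="$2" '
        $0 !~ /^[ \t]*#/ && NF >= 2 {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (k == key) {
                # take everything after the first "=" so values may contain "="
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_ldap_table FILE -> exit 0 when the table is safe to deploy, 1 otherwise
check_ldap_table() {
    file=$1
    rc=0
    if [ "$(ldap_table_value "$file" start_tls)" != "yes" ]; then
        echo "$file: start_tls is not 'yes'; LDAP queries would travel in cleartext" >&2
        rc=1
    fi
    if [ "$(ldap_table_value "$file" version)" != "3" ]; then
        echo "$file: version should be 3 (STARTTLS requires LDAPv3)" >&2
        rc=1
    fi
    if [ -z "$(ldap_table_value "$file" query_filter)" ]; then
        echo "$file: query_filter is missing" >&2
        rc=1
    fi
    if [ -z "$(ldap_table_value "$file" result_attribute)" ]; then
        echo "$file: result_attribute is missing" >&2
        rc=1
    fi
    return $rc
}

# write_sample_tables DIR -> constructed samples for this example: a weak table
# (cleartext LDAPv2) as DIR/weak.cf and the corrected one as DIR/good.cf
write_sample_tables() {
    cat > "$1/weak.cf" <<'EOF'
# cleartext LDAP over the wire and LDAPv2: do not deploy this
server_host = ds01.example.com, ds02.example.com
search_base = cn=accounts,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no
start_tls = no
version = 2
EOF
    cat > "$1/good.cf" <<'EOF'
server_host = ds01.example.com, ds02.example.com
search_base = cn=accounts,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no
start_tls = yes
version = 3
EOF
}

# Demonstration on the constructed samples
demo_dir=$(mktemp -d)
write_sample_tables "$demo_dir"
for t in weak good; do
    if check_ldap_table "$demo_dir/$t.cf"; then
        echo "$t.cf: OK"
    else
        echo "$t.cf: NOT OK (see messages above)"
    fi
done
```

To check the real file, run `check_ldap_table /etc/postfix/ldap_aliases.cf` on the mail server; once it passes, `postmap -q ipauser1@example.com ldap:/etc/postfix/ldap_aliases.cf` performs a live lookup against FreeIPA and should print the uid the table resolves to.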
Setting up Single Sign on for authentication
This step requires configuring FreeIPA, SASL and a bit of Postfix for good measure.
Let's start with FreeIPA.
Step 1. On your FreeIPA server, create a new service principal for your Postfix server.
[root@ds01 ~]# ipa service-add smtp/mail.example.com
--------------------------------------------------
Added service "smtp/mail.example.com@EXAMPLE.COM"
--------------------------------------------------
  Principal: smtp/mail.example.com@EXAMPLE.COM
  Managed by: mail.example.com
[root@ds01 ~]#
Step 2. Now we need to download the keytab for that new service principal to the Postfix server. Make sure you set the right permissions on the keytab as well.
[root@mail ~]# ipa-getkeytab -s ds01.example.com -p smtp/mail.example.com -k /etc/postfix/smtp.keytab
[root@mail ~]# chown root:mail /etc/postfix/smtp.keytab
[root@mail ~]# chmod 640 /etc/postfix/smtp.keytab
Step 3. Configure SASL
Edit the file /etc/sasl2/smtpd.conf so that it reads as follows.
pwcheck_method: saslauthd
mech_list: GSSAPI PLAIN LOGIN

Edit the file /etc/sysconfig/saslauthd so that it reads as follows.

# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/var/run/saslauthd

# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ability to use.
MECH=kerberos5

# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.
# DAEMONOPTS=--user saslauth

# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
FLAGS=
Step 4. Next, run the following commands to configure Postfix for SASL integration.
[root@mail ~]# postconf -e 'import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab'
[root@mail ~]# postconf -e 'smtpd_client_restrictions = permit_sasl_authenticated, reject'
[root@mail ~]# postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, reject'
[root@mail ~]# postconf -e 'smtpd_sender_restrictions = permit_sasl_authenticated, reject'
[root@mail ~]# postconf -e 'smtpd_sasl_auth_enable = yes'
[root@mail ~]# postconf -e 'smtpd_sasl_security_options = noanonymous'
[root@mail ~]# postconf -e 'smtpd_sasl_tls_security_options = $smtpd_sasl_security_options'
[root@mail ~]# postconf -e 'broken_sasl_auth_clients = yes'
[root@mail ~]# postconf -e 'smtpd_sasl_authenticated_header = yes'
[root@mail ~]# postconf -e 'smtpd_sasl_local_domain = $mydomain'
Step 5. Restart services
Lastly, restart both the saslauthd and postfix services to apply the changes you have made. Also remember to enable saslauthd to start on boot.
service saslauthd restart
service postfix restart
chkconfig saslauthd on
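The keytab downloaded in Step 2 is the Postfix server's Kerberos credential: anyone who can read it can impersonate the smtp/mail.example.com service, so the chown/chmod in that step matters as much as the ipa-getkeytab call. The check below is an added example for this article, not code from the original post or from FreeIPA; it uses only ls(1) so it runs on any POSIX system, and the temporary file it exercises is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify that a Kerberos keytab (such as /etc/postfix/smtp.keytab
# from Step 2) is a regular file that other users cannot read, that the group
# cannot modify, and optionally that it is owned by the expected user:group.

# keytab_mode_string FILE -> prints the 10-character mode column from ls -ld
keytab_mode_string() {
    ls -ld "$1" | cut -c1-10
}

# keytab_perms_ok FILE [USER:GROUP] -> 0 if the keytab is safe, 1 otherwise
keytab_perms_ok() {
    file=$1
    want_owner=${2:-}
    rc=0
    mode=$(keytab_mode_string "$file") || return 1
    # first character: "-" is a regular file (a symlink or directory is suspect)
    case $mode in
        -*) ;;
        *) echo "$file: not a regular file ($mode)" >&2; rc=1 ;;
    esac
    # sixth character: group write bit
    case $(printf '%s' "$mode" | cut -c6) in
        w) echo "$file: group can write the keytab ($mode)" >&2; rc=1 ;;
    esac
    # characters 8-10: permissions for everyone else must be ---
    case $(printf '%s' "$mode" | cut -c8-10) in
        ---) ;;
        *) echo "$file: keytab is accessible to other users ($mode)" >&2; rc=1 ;;
    esac
    if [ -n "$want_owner" ]; then
        # ls -ld columns: mode links owner group size date name
        have_owner=$(ls -ld "$file" | awk '{print $3 ":" $4}')
        if [ "$have_owner" != "$want_owner" ]; then
            echo "$file: owned by $have_owner, expected $want_owner" >&2
            rc=1
        fi
    fi
    return $rc
}

# Demonstration on a constructed temporary file
demo=$(mktemp)
chmod 644 "$demo"
keytab_perms_ok "$demo" || echo "world-readable keytab flagged as expected"
chmod 640 "$demo"
keytab_perms_ok "$demo" && echo "0640 keytab accepted"
rm -f "$demo"
```

On the mail server, `keytab_perms_ok /etc/postfix/smtp.keytab root:mail` should print nothing and return 0 after Step 2; a non-zero return with a message is a reason to re-run the chown/chmod before starting Postfix.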
Configuring TLS Connections
Lastly, to top things off, we will enable TLS for our authenticated clients to be able to login securely to the mail server.
Step 1. To begin with, let's request a new certificate from FreeIPA.
On your Postfix server, create a new directory and set required permissions.
[root@mail ~]# mkdir /etc/postfix-certs
[root@mail ~]# chcon -t cert_t /etc/postfix-certs
Now let's request the certificate.
[root@mail ~]# ipa-getcert request -r -f /etc/postfix-certs/smtp.crt -k /etc/postfix-certs/smtp.key -N CN=mail.example.com -D mail.example.com -K smtp/mail.example.com
You should now see your new private and public key located in the /etc/postfix-certs folder.
Step 2. Now let's configure Postfix to read our new certificate.
Run the following commands on your Postfix server to apply the necessary changes.
[root@mail ~]# postconf -e 'smtpd_tls_auth_only = yes'
[root@mail ~]# postconf -e 'smtpd_tls_key_file = /etc/postfix-certs/smtp.key'
[root@mail ~]# postconf -e 'smtpd_tls_cert_file = /etc/postfix-certs/smtp.crt'
[root@mail ~]# postconf -e 'smtpd_tls_received_header = yes'
[root@mail ~]# postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
Step 3. Restart Postfix
You should restart your postfix service in order to apply the new changes.
[root@mail ~]# service postfix restart
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
[root@mail ~]#
Testing and troubleshooting
Once you have set everything up that you wish, don’t forget to verify your work.
If you have set up TLS connections and single sign on is working fine, you will see the following in your /var/log/maillog file, which indicates a successful implementation.
This shows that the client is authenticating with GSSAPI and SASL at the time the user is sending an email.
Mar 14 11:03:14 mail postfix/smtpd[1994]: 005304162E: client=unknown[10.0.1.101], sasl_method=GSSAPI, sasl_username=ipauser1@example.com
If you have set up LDAP virtual maps as well, go ahead and try and email a user that does not exist and see what happens. You will get a rather rude message saying that the user does not exist.
You will also see logs in /var/log/maillog which look similar to those below.
Mar 14 11:09:18 mail postfix/smtpd[2097]: NOQUEUE: reject: RCPT from unknown[10.0.1.101]: 550 5.1.1 <notarealuser@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ipauser1@example.com> to=<notarealuser@example.com> proto=ESMTP helo=<workstation01.example.com>
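The two log lines above are the ones to keep an eye on after the rollout: the sasl_method field tells you whether clients are really using their Kerberos ticket (GSSAPI) or falling back to a password mechanism, and the 550 rejects tell you which addresses the LDAP alias map could not resolve. The helpers below are an added example for this article, not part of the original post; the sample log they read is constructed for the example (the two lines from the article plus two invented ones, with a hypothetical PLAIN login from ipauser2 and a second unknown recipient), and on a real server you would point them at /var/log/maillog instead.

```shell
#!/bin/sh
# Added example: summarise Postfix smtpd log lines after enabling GSSAPI
# authentication and LDAP virtual aliases. SAMPLE_LOG is constructed data.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar 14 11:03:14 mail postfix/smtpd[1994]: 005304162E: client=unknown[10.0.1.101], sasl_method=GSSAPI, sasl_username=ipauser1@example.com
Mar 14 11:05:02 mail postfix/smtpd[2011]: 1A2B3C4D5E: client=unknown[10.0.1.102], sasl_method=PLAIN, sasl_username=ipauser2@example.com
Mar 14 11:09:18 mail postfix/smtpd[2097]: NOQUEUE: reject: RCPT from unknown[10.0.1.101]: 550 5.1.1 <notarealuser@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ipauser1@example.com> to=<notarealuser@example.com> proto=ESMTP helo=<workstation01.example.com>
Mar 14 11:12:40 mail postfix/smtpd[2105]: NOQUEUE: reject: RCPT from unknown[10.0.1.101]: 550 5.1.1 <ghost@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ipauser1@example.com> to=<ghost@example.com> proto=ESMTP helo=<workstation01.example.com>
EOF

# count_sasl_logins LOG METHOD -> number of authenticated sessions using METHOD
count_sasl_logins() {
    awk -v m="sasl_method=$2," '
        /postfix\/smtpd\[[0-9]+\]: [0-9A-F]+: client=/ && index($0, m) { n++ }
        END { print n + 0 }' "$1"
}

# sasl_users LOG -> "METHOD user" pairs, one per authenticated session
sasl_users() {
    sed -n 's/.*sasl_method=\([^,]*\), sasl_username=\([^ ,]*\).*/\1 \2/p' "$1"
}

# non_gssapi_logins LOG -> users who authenticated with a password mechanism.
# With smtpd_tls_auth_only = yes these still travel inside TLS, but they show
# which clients are not presenting a Kerberos ticket and deserve a look.
non_gssapi_logins() {
    sasl_users "$1" | awk '$1 != "GSSAPI" { print $2 }'
}

# rejected_recipients LOG -> recipients refused as "User unknown", one per line
rejected_recipients() {
    awk '/NOQUEUE: reject: RCPT/ && /User unknown/ {
        if (match($0, /to=<[^>]*>/)) print substr($0, RSTART + 4, RLENGTH - 5)
    }' "$1"
}

# rejected_by_client LOG -> "count ip" per sending client, highest first;
# a client piling up rejects may be misconfigured or probing for addresses
rejected_by_client() {
    awk '/NOQUEUE: reject: RCPT from/ {
        if (match($0, /RCPT from [^:]*\[[0-9.]*\]/)) {
            s = substr($0, RSTART, RLENGTH); sub(/.*\[/, "", s); sub(/\]/, "", s)
            n[s]++
        }
    } END { for (c in n) print n[c], c }' "$1" | sort -rn
}

# Demonstration on the constructed sample
echo "GSSAPI logins: $(count_sasl_logins "$SAMPLE_LOG" GSSAPI)"
echo "PLAIN logins:  $(count_sasl_logins "$SAMPLE_LOG" PLAIN)"
echo "Password-based logins from:"; non_gssapi_logins "$SAMPLE_LOG"
echo "Unknown recipients:"; rejected_recipients "$SAMPLE_LOG"
echo "Rejects per client:"; rejected_by_client "$SAMPLE_LOG"
```

After the rollout you would expect `count_sasl_logins /var/log/maillog GSSAPI` to grow and `non_gssapi_logins` to stay empty; since mech_list above also offers PLAIN and LOGIN, any user that shows up there is a client without a ticket, which is worth understanding before deciding whether to keep those mechanisms enabled.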